TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
666
Signature ID: 30061
Oracle Database Server SYS.DBMS_EXPORT_EXTENSION SQL Injection Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-2081 CVE-2006-2505 CVE-2006-1887 Bugtraq: 17590,17699
Signature Description: Oracle Database Server is a commercial relational database application suite. A vulnerability
exists in Oracle PL/SQL Export Extensions that allows an attacker to gain privileges to modify database information.
Oracle extensions are used to create customized Oracle database constructs. An indextype is an Oracle extension that
allows users to create specialized indexes on an Oracle database. To create a new indextype, the ODCIIndex Interface
must be implemented, meaning that certain methods specified in that interface must be defined. The
ODCIIndexGetMetadata(...) routine is one such method in the ODCIIndex Interface. When the ODCIIndex Interface is
implemented for a new indextype, the ODCIIndexGetMetadata(...)routine is used to specify how metadata for that
indextype should be handled. DBMS_EXPORT_EXTENSION is a built-in Oracle package used to import and export
information in an Oracle Database. The DBMS_EXPORT_EXTENSION package implements the ODCIIndex
Interface ODCIIndexGetMetadata(...) routine. Note that this package is owned by SYSDBA, but is accessible to the
PUBLIC by default. The DBMS_EXPORT_EXTENSION package fails to properly sanitize user-controlled input.
Specifically, if the GET_DOMAIN_INDEX_METADATA(...)routine is executed with the
ODCIIndexGetMetadata(...)routine and attacker-supplied SQL commands, the SQL commands will be executed with
SYSDBA privileges. This may allow the attacker to access and modify sensitive information within an Oracle database.
Signature ID: 30062
Oracle Application Server Forms Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2372 Bugtraq: 14319
Signature Description: Oracle Forms Services is a framework based upon application server technology that has been
optimized to deploy Oracle Forms applications in a multi-tiered environment. Oracle Forms Service versions 4.5, 5.0,
6.0, 6i, 9i, and 10g could allow a remote attacker to execute arbitrary Oracle Form Files on the system. Oracle Forms
Services starts forms executables (*.fmx) from any directory and any user on the application server. An attacker can
upload a form executable via WebDav. The attacker could then send a specially-crafted form or module parameter to
cause the server to execute the malicious file onto the targeted user's system. The file will be executed with Oracle user
privileges on a Unix operating system and with SYSTEM privileges on a Windows-based system. No patch
information is available but some workarounds are suggested. This signature detects traffic that can trigger the
vulnerability on TCP port 7779.
Signature ID: 30063
Oracle Application Server Forms Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2372 Bugtraq: 14319
Signature Description: Oracle Forms Services is a framework based upon application server technology that has been
optimized to deploy Oracle Forms applications in a multi-tiered environment. Oracle Forms Service versions 4.5, 5.0,
6.0, 6i, 9i, and 10g could allow a remote attacker to execute arbitrary Oracle Form Files on the system. Oracle Forms
Services starts forms executables (*.fmx) from any directory and any user on the application server. An attacker can
upload a form executable via WebDav. The attacker could then send a specially-crafted form or module parameter to
cause the server to execute the malicious file onto the targeted user's system. The file will be executed with Oracle user
privileges on a Unix operating system and with SYSTEM privileges on a Windows-based system. No patch
information is available but some workarounds are suggested. This signature detects traffic that can trigger the
vulnerability on TCP port 8888.